Intune: Schakel Uit AutoPlay For All Drives

πŸ’Ό Management Samenvatting

Schakel uit AutoPlay voor ALL drives - voorkomt automatic malware execution from USB/removable media (classic attack vector).

Aanbeveling
IMPLEMENT
Risico zonder
High
Risk Score
7/10
Implementatie
2u (tech: 1u)
Van toepassing op:
βœ“ Windows 10
βœ“ Windows 11

AutoPlay = USB malware delivery: Attack: Malicious USB stick (dropped in parking lot, mailed to office), User: Inserts USB β†’ AutoPlay: Automatically runs autorun.inf β†’ malware executes (NO user interaction), Malware: Ransomware, credential stealer, backdoor. Reality: Stuxnet (2010) used USB AutoPlay, still common attack vector (social engineering + USB). Defense: Schakel uit AutoPlay β†’ user must manually browse USB β†’ malware NOT auto-executed.

PowerShell Modules Vereist
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementatie

Schakel uit AutoPlay: All drives: USB, CD/DVD, network drives, Policy: Turn off AutoPlay: Enabled (all drives), User experience: Insert USB β†’ NO automatic action β†’ user opens File Explorer manually. Exception: NONE (no legitimate business need voor AutoPlay).

Vereisten

  1. Intune subscription
  2. Windows 10/11

Implementatie

Intune Settings Catalog: AutoPlay Policies β†’ Turn off AutoPlay: Enabled (All drives). Effect: No automatic USB execution.

Compliance

CIS Windows Benchmark L1, BIO 12.02, ISO 27001 A.12.2.1, NIST SI-3.

Monitoring

Gebruik PowerShell-script autoplay-disabled.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script autoplay-disabled.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Intune Security Options: AutoPlay Disabled .DESCRIPTION CIS - AutoPlay moet disabled voor alle drives. .NOTES Filename: autoplay-disabled.ps1|Author: Nederlandse Baseline voor Veilige Cloud|Registry: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun|Expected: 255 (All) #> #Requires -Version 5.1 #Requires -RunAsAdministrator [CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert) $ErrorActionPreference = 'Stop'; $RegPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"; $RegName = "NoDriveTypeAutoRun"; $ExpectedValue = 255 function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) } function Test-Compliance { $r = [PSCustomObject]@{ScriptName = "autoplay.ps1"; PolicyName = "AutoPlay"; IsCompliant = $false; CurrentValue = $null; ExpectedValue = "Disabled (255)"; Details = @() }; function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue } try { if (Test-Path $RegPath) { $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue; if ($v -and $v.$RegName -eq $ExpectedValue) { $r.IsCompliant = $true; $r.Details += "AutoPlay disabled all drives" }else { $r.Details += "AutoPlay: $($v.$RegName) (255=All disabled)" } }else { $r.Details += "Niet geconfigureerd" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r } function Invoke-Remediation { if (-not(Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }; Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force; Write-Host "AutoPlay disabled for all drives" -ForegroundColor Green } function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r } function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue } try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }

Risico zonder implementatie

Risico zonder implementatie
High: Hoog: AutoPlay = automatic USB malware execution (no user interaction).

Management Samenvatting

Schakel uit AutoPlay (all drives). USB malware defense. Zero business impact. Implementatie: 1-2 uur.